To aid the UAE government's efforts to position the UAE as a leader in digital services, on 1 January 2017, the UAE Central Bank published the Regulatory Framework For Stored Values and Electronic Payment Systems (the "EPS Regulations"). The EPS Regulations apply to businesses providing digital payment services in the UAE.
The EPS Regulations require that two separate types of digital payment service provider obtain a licence in order to operate in the UAE:
1. Payment Service Providers ("PSP")
"Any institution licenced or authorized to provide digital payment services".
This might include institutions similar to PayPal, Beam, Etisalat Visa, and Emirates NBD, all of which currently run digital payment platforms targeted at various individuals from all segments of the UAE.
PSPs are broken down into four categories:
- Retail PSP – authorised commercial banks and other licensed PSPs offering retail, Government, and peer-to-peer digital payment services as well as money remittances;
- Micropayments PSP – companies offering micropayments solutions facilitating digital payments targeting the unbanked and under-banked segments in the UAE;
- Government PSP – federal and local government statutory bodies offering government digital payment services; and
- Non-issuing PSP – non-deposit taking and non-issuing institutions who offer retail, government and peer-to-peer digital payment services.
2. Payment System Operator ("PSO")
"An entity operating a fund transfer or any other system that facilitates the circulation of digital money and who applies to become a 'Designated Payment System'".
From the reading of the EPS Regulations, these are systems that "settle" the payments; the back end of the digital payment ecosystem. This might include companies similar to those mentioned as examples of PSPs, but the difference here is that their systems settle the payments made to the merchants.
Further clarification on this type of licensee and whether a PSO can apply for its system to qualify as a Designated Payment System is subject to a further UAE Central Bank written circular/notice which is yet to be released.
Data Protection/Storage Obligations
From 1 January 2018, those offering digital payment services in the UAE must store user and transaction data ("Data") in the UAE for 5 years from the date the user relationship ends or the transaction date.
This Data must be kept confidential and can only be made available to the user, the Central Bank, another regulatory authority upon authorisation by the Central Bank, or by UAE court order. All such Data must also be physically stored in the UAE and therefore transfer of such Data is restricted. PSPs are not permitted to process the Data unless it is for the purposes of Anti-Money Laundering or Combatting the Financing of Terrorism checks. From the wording of the EPS Regulations, it appears that the transfer of the Data outside of the free zone where the servers are located is permitted; it is the transfer outside of the UAE that is prohibited.
The EPS Regulations also require that businesses providing digital payment services in the UAE be incorporated in mainland UAE or in the free zones excluding the Dubai International Financial Centre and Abu Dhabi Global Market.
Aside from the regulations noted above, the EPS Regulations also:
- introduce standards for the banking practices of PSPs;
- introduce a requirement that each PSP demonstrate the ability and experience to provide digital payment services;
- introduce conditions for outsourcing of the operations of PSPs; and
- introduce customer service standard/dispute resolution obligations.
Companies have until 1 January 2018 to comply with the provisions of the EPS Regulations. If they don't, they must cease business in the UAE.
The EPS Regulations do not apply to the following:
- Payment transactions in cash without any involvement from an intermediary;
- Payment transactions using a credit/debit card;
- Payment transactions using paper cheques;
- Payment instruments accepted as a means of payment only to make purchases of goods/services provided from the Issuer/any of its subsidiaries (i.e. closed loop payment instruments). Here an "Issuer" is the PSP providing the stored value instrument enabling the customers to use the instruments at various merchants. This could include systems facilitating loyalty cards or retail loyalty applications;
- Payment transactions within a payment/settlement system between settlement institutions, clearing houses, central banks and PSPs;
- Payment transactions related to the transfer of securities/assets (including dividends, income, and investment services);
- Payment transactions carried out between PSPs (including their agents/branches) for their own accounts; and
- "Technical Service Providers". This is defined as "entities facilitating the provision of payment services to PSPs, whilst excluded at all times from possession of funds (and transference thereof)." This would, as an example, include telecommunication companies.
It is also worth noting that "Virtual Currencies" such as Bitcoin are said to be prohibited in the EPS Regulations. The UAE Central Bank has since clarified in a statement issued to Gulf News that the EPS Regulations are not intended to outlaw Bitcoin and other cryptocurrencies but that these regulations do not apply to them. The Central Bank Governor has said that Bitcoin and other cryptocurrencies are under review by the Central Bank and new regulations will be issued as appropriate.